






Twenty Critical CSIS Security Controls: Part Four


Wireless Device Control and Data Recovery Capabilities


by Adam Montville, Security and Compliance Architect


Synopsis: The 20 Critical Controls really view wireless as special, holding on to the lingering “newness” of
wireless and still not able to recognize that wireless is just another thing we need to secure. For Data
Recovery Capabilities, the devil in these details is key management, which is something that might be
mentioned by some Control Frameworks, but is a subject about which most steer clear.


In the first installment of this series we covered the “Inventory of Authorized and Unauthorized Devices”
and the “Inventory of Authorized and Unauthorized Software.” In the second article we looked at two
more Controls designed to offer guidance on managing secure hardware and software configurations on
a variety of devices, as well as the implementation of continuous vulnerability assessments and
remediation efforts.

In part three we looked at how the SDLC is, though aided by automation, largely a human-performed
activity in that humans are the architects, designers, developers, and quality assurance folks.


It’s time to take a closer look at Controls 7 and 8 of the CSIS 20 Critical Security Controls which deal with
Wireless Device Control and Data Recovery Capabilities, respectively (I consulted the PDF version, but
the online versions are here and here).

Before getting started with the key takeaways for Controls 7 and 8, I must reassert that each control we
examine will include a set of requirements that you really should be taking directly to your security tool
vendors. When you do, do not just take their word for it if they tell you they meet the 20 CSC
requirements – make them really dig down and prove it to you. These controls are that important to
your organization.


Wireless Device Control

In a Nutshell:

• Wireless Is (Not) Special. Be practical in your treatment of wireless devices and use common
sense. You can take this for what it’s worth in your organization, but the 20 Critical Controls
really view wireless as special – as do many other Control Frameworks. I think we’re still holding
on to a lingering “newness” to wireless and still not really able to recognize that wireless is just
another thing we need to secure. I found many of the requirements to be better suited for
Controls 1, 3, or 10.


• Marry Wireline and Wireless Requirements. Don’t treat the requirements for device
authentication and access control as separate for wired and wireless networks – you’ll operate
less efficiently if you use different technologies. Does wireless have requirements that differ
from wired networks in some cases? Of course, they use a different physical medium, for
17 Cyber Warnings E-Magazine – August 2013 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide